The purpose of these recommendations is to briefly inform about potential safety and security risks and other areas of importance when using Indivd X. The information in this document does not constitute professional advice and we encourage you to seek such support from an expert if necessary.
Indivd use cameras and infrastructure managed and controlled by the data controller as regulated in the agreement. Streamed video data for anonymization should not be stored, unless clearly motivated by other lawful purposes (e.g. security cameras) and the storage is handled appropriately for these. This document contains general information to potential safety and security risks based on a risk assessment by IBM Security conducted 2020-04-16, as well as factors that can be taken into account when using Indivd X.
Article 24 of the GDPR says that the controller shall implement appropriate technical and organisational measures. The measures shall include the implementation of appropriate data protection policies by the controller.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Article 32 of the GDPR says that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data.
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The following measures shall be implemented to address the encryption of the personal data:
- Any connection to the camera network from an outside source should be encrypted. If the camera network is partly bridged over a public or otherwise vulnerable network, this bridging should also be encrypted. Encryption should follow up-to-date industry standards, such as AES.
Confidentiality Of The Processing Systems And Of The Services
This refers to protecting information from being accessed by unauthorized parties. The following measures could be implemented to address the confidentiality of the processing systems and of the Services:
- Prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used,
- cameras should be password protected. Access to any passwords should be limited to the necessary personnel and systems and be stored in a secure place. Passwords should be of good quality and follow NIST SP 800-41,
- the camera network should be protected by an appropriately configured firewall and follow industry standards such as NIST SP 800-63B,
- video data is streamed for anonymization and should not be stored unless clearly motivated by other purposes (e.g. security cameras) and the storage is handled appropriately for these,
- the camera network and any local server should be reasonably protected from physical access from unauthorized parties and follow industry standards.
Integrity Of The Processing Systems And Of The Services
This refers to the capability of performing correctly according to the original specification of the system under various adversarial conditions. The following measures could be implemented to address the confidentiality of the processing systems and of the Services:
- Protection by technical and organizational means regarding authorizations, protocols/logs including analyzing protocols, audits,
- logging of incoming and outgoing connections is recommended and follows industry standards such as NIST SP 800-92.
Process For Regularly Testing, Assessing And Evaluating The Effectiveness Of Technical And Organizational Measures
The following measures shall be implemented to address the regularly testing, assessing and evaluating of the effectiveness of technical and organizational measures:
- Security concept,
- review by the data protection officer,
- external reviews, audits, certifications.
Feel free to contact us at firstname.lastname@example.org if you have any questions or concerns about potential safety and security risks.